Use OIDC Scope to limit the roles included in Offline Token and/or to enforce separation of duties?
by Peter K. Boucher
Suppose there are some limited families of APIs to which we would want users
to explicitly delegate access. We were thinking we could assign a role to
the user that allows the use of each of the families of APIs (say for
example that with the "quantum_singularity" role, they can use the
"tetrion_emission" APIs, and with the "borg_cube" role, they can use the
"culture_assimilation" APIs).
Can we (and if so, how best would we) use openid scope to
* Offline refresh tokens - Allow the user to delegate a 3rd-party app
to act on their behalf in an offline fashion that is limited to one, the
other, or both of the quantum_singularity and/or borg_cube roles?
* Separation of duties - (only partially-related question) Allow an
app to enforce separation of duties such that an online, logged-in user can
only have one or the other, but not both of the quantum_singularity and/or
borg_cube roles for the duration of a session?
I think I gathered from this thread in keycloak-dev
(http://lists.jboss.org/pipermail/keycloak-dev/2016-July/007550.html) that
these things should be possible, but I was hoping to confirm and to get
pointers to docs with practical guidance for how best to do these two
things.
Thanks!
Regards,
Peter K. Boucher
7 years, 8 months
Re: [keycloak-user] User Storage SPI for multiple db
by Ilya Korol
As you can see in the docs and examples there are two main interfaces for
implementing User Storage Providers (USP):
UserStorageProvider and UserStorageProviderFactory, so any DAO should be
initialized within the concrete USPFactory class and then be injected into the
UserStorageProvider object within the create() method of the Factory class.
For connecting with MySQL you could use any libraries as you usually do
in other applications, but there could be some trouble with
packaging, because by default your lib jars (MySQL connectors etc.) will
not be linked with your USP, so for testing convenience you could add
those libs as modules to WildFly (where Keycloak runs) and refer to them
in dependencies from the USP deployment descriptor. Google "jar module.xml
wildfly".
On 20.04.2017 20:15, rohit chaudhary wrote:
> Hi,
>
> Each db contains users which can be merged on basis of username. But I
> can't find an example to connect to mysql server using User storage
> SPI, being a newbie basically I'm having doubts on how to connect to
> mysql db.
>
> Thanks,
> Rohit
>
> On Wed, Apr 19, 2017 at 5:40 PM, Король Илья <llivezking@gmail.com> wrote:
>
> Hi. If every one of your apps has a separate users db, what do you want
> to have in ideal circumstances? Do your databases include the same users? For
> example, if you want to have a "merged" user storage you could implement a
> custom user storage for every db, so when the user is redirected to
> keycloak for login, keycloak will consecutively try to extract the
> user data from these user storages. And you will have the opportunity to set
> priorities of these storages in the keycloak admin console.
>
> As for examples, you should check the examples from the git repo and also
> carefully read the tutorial in the docs.
>
> Also your implementations could have the ability to create users in
> keycloak itself on the fly while extracting users from user storages (so later
> you will have a merged user db in keycloak). See details in the docs (Server
> development -> User Storage SPI -> Import Implementation Strategy).
>
>
> On 19.04.2017 11:35, rohit chaudhary wrote:
> > Hi,
> >
> > I am implementing Keycloak SSO for Django and .NET apps. I have a doubt on
> > how to go with the user database. All apps have separate db. How to
> > proceed? Need some suggestions and please refer some examples of custom
> > user storage SPI.
> >
> > Thanks,
> > Rohit
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user@lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
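An added example, not code from this thread or from Keycloak's own examples, of the factory/provider wiring Ilya describes at the top of this message: the factory reads JDBC settings in init() and injects a connection into each provider it builds in create(). It assumes the Keycloak 3.x SPI signatures of the time; the provider id, JDBC URL, DB account, table and column names are placeholders.

```java
import java.sql.*;
import org.keycloak.Config;
import org.keycloak.component.ComponentModel;
import org.keycloak.models.*;
import org.keycloak.storage.*;
import org.keycloak.storage.adapter.AbstractUserAdapter;
import org.keycloak.storage.user.UserLookupProvider;

// Factory: one per server (registered via META-INF/services). DAO state from the SPI config in
// standalone.xml is set up in init() and handed to each short-lived provider in create().
public class MysqlUserStorageProviderFactory
        implements UserStorageProviderFactory<MysqlUserStorageProvider> {
    private String jdbcUrl, dbUser, dbPassword;
    @Override public String getId() { return "mysql-users"; }           // placeholder id
    @Override public void init(Config.Scope config) {
        jdbcUrl = config.get("jdbcUrl", "jdbc:mysql://db.example/users"); // placeholder URL
        dbUser = config.get("dbUser", "keycloak_ro");      // a read-only DB account is enough
        dbPassword = config.get("dbPassword");             // never hard-code it in the jar
    }
    @Override public MysqlUserStorageProvider create(KeycloakSession session, ComponentModel model) {
        try {   // needs the MySQL driver as a WildFly module; a JNDI DataSource would pool this
            return new MysqlUserStorageProvider(session, model,
                    DriverManager.getConnection(jdbcUrl, dbUser, dbPassword));
        } catch (SQLException e) { throw new RuntimeException("user DB unavailable", e); }
    }
}
// Provider: created per request by the factory and closed by Keycloak afterwards.
class MysqlUserStorageProvider implements UserStorageProvider, UserLookupProvider {
    private final KeycloakSession session; private final ComponentModel model; private final Connection db;
    MysqlUserStorageProvider(KeycloakSession s, ComponentModel m, Connection c) { session = s; model = m; db = c; }
    @Override public UserModel getUserByUsername(String username, RealmModel realm) {
        // Parameterised query: the username comes straight from the login form.
        try (PreparedStatement ps = db.prepareStatement("SELECT username FROM app_user WHERE username = ?")) {
            ps.setString(1, username);
            ResultSet rs = ps.executeQuery();
            if (!rs.next()) return null;   // null lets Keycloak try the next storage by priority
            final String found = rs.getString(1);
            return new AbstractUserAdapter(session, realm, model) {   // read-only view of the row
                @Override public String getUsername() { return found; }
            };
        } catch (SQLException e) { throw new RuntimeException(e); }
    }
    @Override public UserModel getUserById(String id, RealmModel realm) { return getUserByUsername(StorageId.externalId(id), realm); }
    @Override public UserModel getUserByEmail(String email, RealmModel realm) { return null; }
    @Override public void preRemove(RealmModel realm) {}
    @Override public void preRemove(RealmModel realm, GroupModel group) {}
    @Override public void preRemove(RealmModel realm, RoleModel role) {}
    @Override public void close() { try { db.close(); } catch (SQLException ignored) {} }
}
```

Register the factory class name in META-INF/services/org.keycloak.storage.UserStorageProviderFactory, and list the driver module in the deployment's jboss-deployment-structure.xml as Ilya suggests.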
7 years, 8 months
Add new filter for RealmResourceProvider
by GU STONE
Hello,
I have a customized provider implementing RealmResourceProvider, something like this:
import javax.ws.rs.*;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import org.keycloak.services.resource.RealmResourceProvider;

public class UserProvider implements RealmResourceProvider {
...
@Path("/{username}/pre-authentication")
@PUT
@Produces(MediaType.APPLICATION_JSON)
public Response validateAuthenticationRequest(@PathParam("username") String username, @HeaderParam("Authorization") String authorization) {
    return Response.ok().build(); // placeholder body; the original post left it empty
}
...
}
Every time I make a REST call to this provider, I can see that 'keycloakSessionServletFilter' has already been passed. My question is: can I add an extra filter after 'keycloakSessionServletFilter'? And how?
Thanks!
Stone
7 years, 8 months
javax.interceptor for implements of RealmResourceProvider
by GU STONE
Hello,
I have some customized ResourceProviders implementing RealmResourceProvider (following the example in keycloak: org.keycloak.examples.rest), something like this:
import javax.ws.rs.*;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import org.keycloak.services.resource.RealmResourceProvider;

public class UserProvider implements RealmResourceProvider {
...
@Path("/{username}/pre-authentication")
@PUT
@Produces(MediaType.APPLICATION_JSON)
public Response validateAuthenticationRequest(@PathParam("username") String username, @HeaderParam("Authorization") String authorization) {
    return Response.ok().build(); // placeholder body; the original post left it empty
}
...
}
I also created a Log Interceptor following the document here: https://docs.oracle.com/javaee/7/tutorial/cdi-adv006.htm and added the Log interceptor annotation in the previous class like this:
import javax.ws.rs.*;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import org.keycloak.services.resource.RealmResourceProvider;

public class UserProvider implements RealmResourceProvider {
...
@Path("/{username}/pre-authentication")
@LogInterceptor
@PUT
@Produces(MediaType.APPLICATION_JSON)
public Response validateAuthenticationRequest(@PathParam("username") String username, @HeaderParam("Authorization") String authorization) {
    return Response.ok().build(); // placeholder body; the original post left it empty
}
...
}
But the Interceptor doesn't work. Do you have any ideas why?
Many Thanks!
Stone
7 years, 8 months
Re: [keycloak-user] Example of npm keycloak-connect with bearer or JWT
by Kevin Berendsen
Hi Austin,
The token stored in the session storage of the Node.js application is the JWT. If you program your application to output the stored token and paste it into the jwt.io website, you will be able to see the actual content of the token. This token is also used as the bearer token.
The only reason to use the token as a bearer token is when you wish to get access to cross-origin resources that are protected by your Keycloak instance.
If you want to use your Node.js application as your resource server, then configure the client in Keycloak to be a bearer-only client that accepts only bearer tokens in the HTTP Authorization header.
Things to do:
• Go to your Keycloak instance and configure your Client’s Access Type to ‘bearer-only’;
• Generate a new Keycloak.json file (docs of this configuration file [1])
• Remove the session store from the Keycloak object initialization [2]
And I believe that’s it.
[1] https://www.keycloak.org/docs/3.0/securing_apps/topics/oidc/java/java-ada...
[2] https://www.keycloak.org/docs/3.0/securing_apps/topics/oidc/nodejs-adapte...
Kind regards,
Kevin
--------------------------------------
From: Austin Cunningham [aucunnin@redhat.com]
Sent: Wednesday 19 April 2017 11:02
To: Kevin Berendsen <kevin.berendsen@pharmapartners.nl>
CC: keycloak-user@lists.jboss.org
Subject: Re: [keycloak-user] Example of npm keycloak-connect with bearer or JWT
Hi Kevin,
Thanks for getting back to me. I have reviewed that example before; it seems to be using sessions, not bearer or JWT. Correct me if I am wrong, I could be missing something. I was hoping to find an implementation of http://blog.keycloak.org/2015/10/authentication-of-clients-with-signed.html.
Regards
Austin
On 19 April 2017 at 08:32, Kevin Berendsen <kevin.berendsen@pharmapartners.nl> wrote:
Hi Austin,
I believe this example is what you're looking for. [1]
Make sure you read the README carefully.
[1] https://github.com/keycloak/keycloak-nodejs-connect/tree/master/example
Kind regards,
Kevin
-----Original Message-----
From: keycloak-user-bounces@lists.jboss.org [keycloak-user-bounces@lists.jboss.org] On behalf of Austin Cunningham
Sent: Tuesday 18 April 2017 16:54
To: keycloak-user@lists.jboss.org
Subject: [keycloak-user] Example of npm keycloak-connect with bearer or JWT
Hi,
I am looking for an example of JWT or Bearer implemented in Node.js with Express.js and Keycloak.
Regards,
Austin
--
AUSTIN CUNNINGHAM
SOFTWARE ENGINEERING INTERN
https://www.redhat.com
Communications House, Cork Road, Waterford X91NY33
Ireland
aucunnin@redhat.com
7 years, 8 months
Retrieve User Information from Facebook
by Leonardo Nunes
Hi, how can I retrieve Gender and Birthday from a User that logged in from Facebook?
The methods below return null.
AccessToken.getGender()
AccessToken.getBirthdate()
Another thing, how do I identify which social network the user has logged in with?
--
Leonardo Nunes
7 years, 8 months
Spring adapters
by Brice
Hello guys!
I find Keycloak is a great product but I'd like to share with you some
thoughts about the Spring adapters.
The first one is about token storage: by default all Spring adapters
(Spring Boot and Spring Security) store all three tokens in the HTTP
session. JWT is great because it allows propagating a trusted identity at
scale in a micro-service architecture: every service is able to verify the
token autonomously only by checking its signature; but if the store is the
HTTP session, it works only for single instance applications or you may be
back in the session replication hell for multiple instances...
Anyway, the adapter offers the opportunity to store the tokens on the
client itself by concatenating the access token, the id token and the
refresh token in a single cookie separated by '__'. And it works... but the
size of the cookie is very close to 4KB. This may seem small but at scale,
it may represent a huge bandwidth cost: imagine the overhead for a simple
'GET /api/any_resource/id + standard headers + 4KB'. It may be complicated
to use for some businesses like online gaming or retail for example.
In addition, if the Keycloak host name is something other than localhost
(i.e. longer, a real FQHN) and/or you add a few claims in the token, the
cookie weighs more than 4KB, which is more than the limit allowed by the RFC
(https://tools.ietf.org/html/rfc6265#section-6.1) and the browser ignores
the cookie... thus there's no client storage (and I don't talk about
https://issues.jboss.org/browse/KEYCLOAK-4342 , but its fix is in
progress)!
I'm far from being a security expert, but it seems some people are totally
opposed to dropping the refresh token on the client because if it is stolen by an
attacker, it may be used for a while to generate access tokens.
So, all those points lead me to ask if we can think about a more flexible
way to store the client state? It would be great to have distinct stores
for the refresh token and the access token: it would give the opportunity to
release the access token on the client and to store the refresh token server
side. The server side store might be implemented in many ways like the
current session store or let the developer provide their own: you can
imagine storing the refresh token in a Redis cluster for example.
Another point is about the fact that the Spring Boot adapter isn't based on
Spring Security. It's surprising because it implies one implementation per
servlet container (instead of one for all) and may not work with Spring
5/Netty; but after discussing with @sebi2706 IRL at Devoxx France, he
explained that many users expect to use Spring Boot without Spring Security.
One more thing... 😜 The Spring Boot adapter doesn't support multi tenancy!
The need I'm currently working on mixes all these points: multi
tenancy, client side storage, scaling, etc. So I had to unweave half of the
components provided by the adapters to comply with the requirements, but of
course it doesn't perform all the checks like the adapters do.
So guys, WDYT about all that stuff?
Best regards and thanks for your work!
Brice
7 years, 8 months
Any way to disable generation of refresh tokens?
by jim-keycloak@spudsoft.co.uk
Hi,
For many of our use cases we don't want the client to be using refresh
tokens.
Is there any way to prevent the creation of refresh tokens?
Ideally on a per-client basis.
Thanks.
Jim
7 years, 8 months
Need input on KEYCLOAK-4765
by John D. Ament
Hi
I was wondering if others had some input for me on
https://issues.jboss.org/browse/KEYCLOAK-4765 ?
In my use case, we have parts of our app that already use the query param
"access_token". These values are not an RSA signed bearer. I've locally
modified the client adapter code to disable checking for this header, per
deployment. I'm not sure that's the right approach. Would it make more
sense to ignore invalid access_tokens in Keycloak (and make that
configurable)? Or other ideas?
John
7 years, 8 months
Behavior of Keycloak when performing an upgrade.
by Reed Lewis
We are planning on implementing Keycloak with a very large dataset of users (in excess of 5 to 10 million). We are going to have a single SQL datastore running in Azure, with multiple Keycloak servers pointing to that single datastore. The question that is being asked is what happens when we wish to upgrade Keycloak from version xx to version yy (whatever the versions are I do not know). The questions are:
1. If the schema changes, does Keycloak automatically handle that?
2. If there are schema changes, how long will that process take?
3. If there is no schema change, can I shut down everything but one server, then shut down the last one and immediately start a new one with the new software version?
So bottom line: what is the upgrade path for Keycloak for major version to major version or minor to minor or whatever?
Reed
7 years, 8 months